135w ago - Following up on the previous news that the PS3 v3.60+ keys were incoming, today the PS3 3.60 keys appear to have been leaked from fckyoudh on Spanish site Elotrolado (linked above) which has lead to new decrypted PlayStation 3 EBOOT fixes for CFW users.

Q: Recently 3.60 keys surfaced (lv1ldr, lv2ldr, isoldr, appldr), what does this mean for this release and the future?
A: That is actually a multiparted answer: Now that several binairies (Iso module + CoreOS minus the loaders that are inside lv0) can be decrypted, more investigation can be done in them, which give a new boost in (unrelated to the HeN) other targets, like:

Q: So does this mean a future release would be sooner?
A: Only God knows But it can also be that because of the above, it would become meaningless/surpassed by better progress. So lets all hope for the best

Also from PS3 Dev Wiki (ps3devwiki.com/wiki/Talk:Playstation_Update_Package_%28PUP%29#Adding_new_keys_to_older_firmwares):

Adding new keys to older firmware

Patch the loaders

Add keys to appldr keys index & tables

There are also npdrm keys inside appldr as well, add the 3.56++ ones

appldr,. lv2.self and game_ext_plugin need patching for new games support

vsh.self maybe too

Note: PlayStation 3 developer Rogero has confirmed he started working already.. stating eventually it will be possible to do a new PS3 CFW so EBOOT converters are not necessary.

From Sony PS3 hacker deank: They also posted my ebootFIX/ebootMOD tools prepackaged (linked above) with the keys in .ps3 folder, so it is ready to be used like in the old 3.41/3.55 days.

Have in mind that some games (like Sniper Ghost Warrior) have additional .self/.sprx files and it is better to use ebootFIX by dragging the PS3_GAME folder to it - it will find and fix all necessary files. If you use ebootMOD you'll have to search for these files yourself and 'fix' them one by one.

How to Use SCETool to Decrypt a PS3 3.60 EBOOT.BIN File Guide:

[vcdLAKERS] for those of you who want to decrypt a 3.60 EBOOT.BIN use scetool
[vcdLAKERS] download scetool_0.2.7.zip unzip it to C:\scetool
[vcdLAKERS] create a new folder inside scetool and name it data
[vcdLAKERS] and download these files here:

keys: ps3devwiki.com/files/devtools/scetool/data/keys

ldr_curves: ps3devwiki.com/files/devtools/scetool/data/ldr_curves

vsh_curves: ps3devwiki.com/files/devtools/scetool/data/vsh_curves

[vcdLAKERS] and put them inside data folder
[vcdLAKERS] put your EBOOT.BIN file in scetool folder
[vcdLAKERS] go to start - run - cmd and cd to the folder were scetool is
[vcdLAKERS] for example "cd C:\scetool"
[vcdLAKERS] then type this command to decrypt the EBOOT.BIN:
[vcdLAKERS] scetool -d EBOOT.BIN EBOOT.ELF
[vcdLAKERS] and use this one to encrypt it to 3.41 :
[vcdLAKERS] C:\scetool>scetool -0=SELF -5=APP -6=0003004100000000 -e EBOOT.elf E
[vcdLAKERS] BOOT.BIN

From Billal (aka S.B.M) comes a few corrections to the above guide, as follows:

You have to leave a space between an (abbreviated) option and a parameter not an equal sign "="
It lacks the option for key revision "-2 0004" or "--key-revision=0004"

1. So first go get the scetool (ps3devwiki.com/files/devtools/scetool/) Download the entire directory and subdirectories and unzip the latest version 0.2.7
2. Create a batch file named "eboot360npdrmfix.bat" in scetool folder with this code:

It pauses when you encrypt the file and them shows the info of the new EBOOT.BIN for you to check.
6. You should now have an EBOOT.BIN NPDRM signed. If you want to put it in the package, use psn_package_npdrm.exe to create the package.

How to Use AldosTools Applications Guide:

1. For retail disks signed with 3.60 keys: Copy all eboot.bin/SPRX/SELF/SFO files to the tool directory and run eboot_fix.bat, them copy the reasigned files to your game backup directory. This tool will reasign all files with 3.40+ keys (works on 3.40+ cfw), reasign the sys_proc_param to 3.40 and change the sfo to 3.40

2. For game updates signed with 3.60 keys: Extract the package, copy EBOOT.BIN/PARAM.SFO and all SPRX/SELF files to the bruteforce tool directory

2.1 If it only uses EBOOT.BIN and PARAM.SFO, just run eboot_fix.bat
2.2 If also have SPRX/SELF files
2.2.1 If SELF file is equal to eboot.bin use bruteforce tool and it will autodetect and just create a reassigned copy of EBOOT.BIN (deank method)
2.2.2 Else, you have to bruteforce with bruteforce tool to get the klic so you can decrypt the SELF/SPRX files and them reassign them

When you have all files reasigned, them create a fix update package. Extra: If do not want to be disturbed with game updates with 3.65+ keys change PARAM.SFO APP_VERSION to 9.99. Note: This tool can't manage sdat, edat files

Download and unrar to a folder. Also, use sfoedit to change the param.sfo to 3.55/3.41 instead of 3.60. I'll use Dirt 3 (BLES01287) in this example. Get the EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE.pkg patch and start Pkgview 1.3.

Drag and drop the Dirt 3 pkg patch in the left window, right click in it, and "extract to source directory"

Cut the eboot.bin from the "PkgView_1.3\EP4001-BLES01287_00-DIRT3PATCHEU0101-A0101-V0100-PE\BLES01287\USRDIR" and paste it in the SCETOOL folder. In the SCETool folder hold down the shift button+right click in the window and choose "open cmd window"

Write "ebootfix EP4001-BLES01287_00-DIRT3PATCHEU0101" and it starts decrypting the file. Take the EBOOT.bin (not ORGINAL_EBOOT.bin) and copy it back to the USRDIR folder you first got it.

Now cut the BLES01287 folder and paste it in the psn_package_npdrm folder (package.conf in here needs to change package version from 1.04 to 1.01 but the rest is already setup for DIRT3). Again, open a cmd window (shift+right click) and write "psn_package_npdrm.exe package.conf BLES01287"

Wait until finished, install the new pkg and play Dirt 3. Guide works for all 3.60 games/patches (WITHOUT selfs & sprx files These are ten times harder to decrypt and fix up to a proper retail level...) Hope someone gets some use from this

You must copy the keys (. Ps3keys) in your user folder (C: \ Users \ XXXX \. Ps3keys) if you have Windows, if you want to use Cygwin or Linux you get the keys (. Ps3) in your user folder (home \ XXXXXX \. PS3), you should copy the two folders.

Just put in the command (cmd / terminal) the command to decrypt would be: EBOOT.BIN unself EBOOT.ELF

To encrypt this: EBOOT.ELF make_self EBOOT.BIN

The easiest is to drag the console, otherwise you must move the directories to where the exe / bin and decrypt / fix are.

I was bored and so I have written a little tool which grabs the latest "hack status" of the PS3. I think the screenshot below says everything. I hope you like it. I'm thankful for suggestions, bug reports or anything else. So long.

It's important to note that currently PS3 CECH-3nnnX/CECH-4nnnX (and some CECH-2500X) console models cannot be downgraded though.

v0.2 Changelog:

hackable firmware fixed

firmware downgrade information added

key information added

DEX converting information added

PlayStation 3 developer Deviance has made available FreeLoader v0.1 followed by FreeLoader v0.2 which is a PS3 EBoot Grabber with the following features:

This application is designed to make life easier to download Eboots. Since it's the initial release, The database is still quite small but will be updated over time to add more additions. Very simple to use. Click the game and press go!

What's new?

Initial release

Notes

Planning on adding descriptions and make sure you are using the latest eboot

Buy me a beer! (Info in about tab)

If the eboot download gets removed. Just wait and a new link will be in the db.

Update

Database updated

If you're experiencing graphical issues when running the application, try this version.

About

Freeloader is an app for windows that has a database full of the latest 3.60 Eboots to be easily downloadable.

You have to just enter the title ID and after click on "Do It!" it will automatically download patches and then fix the latest one for you. This app also has an option that will fix EBOOT.BIN without downloading updates.

FYI:

1- if you have downloaded files before and you just want to fix them put them in application's folder.after checking the sony server if file exists it will skip that file and will start to fix
2- to copy download Download Link double click on it
3- this app doesn't changes PARAM.SFO (Some times changing PARAM.SFO causes some problem in packing) to prevent Update error enable the spoof on your cfw
4- here is a example of which files to install
for example i want to update and install Gran Turismo 5

After download finished the application will automatically fix the latest patch (in this case:"EP9001-BCES00569_00-0000000000000000-A0113-V0100-PE.pkg") and will make a new file which is fixed for 3.55 with following name: EP9001-BCES00569_00-0000000000000000.pkg (The last part of name has been removed.)

You need to put this into a folder with scetool, data / keys etc. working. Then drop an eboot.bin and decrypt it with scetool into eboot.elf. The drop an encrypted self, or sprx and modify the bat file a little perhaps.

The needed linux tools like od.exe, sed.exe, can all be found in the package above. If you want to test with say, portal 2 sprx files, you can try starting at offset 608600. MW3 around offset 54272.. The batch file is not perfect. On large files, the CUT command starts to malfunction as i don't take this into account with the sed/cut combo. Some PS3 game key examples are located HERE and also below in full.

From deank: The other day someone sent me eboot+self for "Ryu ga Gotoku of the End" (Yakuza). It is one of these games (like Rock Band 3) which cannot be 'decrypted' using a k_lic, so here is the "ogrez.self" patched for 3.55.

You can prepare a fixed update pkg by using the original pkg + the fixed eboot.bin and this fixed ogrez.self. It is pretty simple once you figure it out

You will notice that in some game updates you have:

EBOOT.BIN

blabla.self

Where both files are "the same". They are not 1:1 the same, because they're encrypted with different keys, but if you look at the prog/data sections and the offsets - you will see what I mean. Also the sizes are the same. I noticed this 'update' approach back in 2010 with "Prince of Persia TFS" and with some other games, so I decided to try that. Both in this game and Rock Band there are no references to the .self and no k_lic... either.

What you have to do is:

1) Decrypt the EBOOT.BIN to .elf
2) Use scetool to create NPDRM NPTYPE=UPDATE with key 00, contentID=game-update-content-id, and np-original-name=name_of_the_self.
3) You get the new blabla.self and use it

For example for this yakuza game you'll notice that the info for the eboot.bin and the ogrez.self are the same:

There is no universal approach. Sizes must be equal (not more or less) and to be sure that there is no k_license involved you can either check if the .self is referenced in the eboot.bin or you'll have to use IDA to make sure that NP functions use NULL k_lic... (or find the k_license location in IDA using the NP functions).

Note: This is just a proof-of-concept, I wanted to know how the whole SELF/SPRX stuff worked. It doesn't contain keys or any proprietary tools from Sony, and as far as I know, it's not doing anything illegal.

From JLM: In case anyone is not sure how to use the script:

1. Use scetool to decrypt the eboot.bin, copy eboot.bin to the scetool folder, use command scetool -v -d eboot.bin eboot.elf, screen output should be (brackets removed from around *'s because it screws up the post formatting):

2. Use scetool to decrypt the sprx with Asure's script, unpack his bruteforce.zip in the scetool directory, copy the sprx to the scetool directory, use his script or the following which is slightly different: rename the sprx to exactly this: game.sprx, using notepad create a text file and paste the script contents:

Save the file as sprxdecrypt.bat, open a command prompt window, type: sprxdecrypt.bat wait a long time.. ONLY FOR THE VERY PATIENT.

Tiny changes to Asure's script: changed filename to game.sprx and game.prx, change it to whatever you like (remember to use the same name in the test line after "IF EXIST") also removed extra -l %key% in the scetool command line.

It has a slider for a more convenient selection of the offset. The cut.exe / dd.exe / od.exe / sed.exe / batch files are not needed. Just put it in the same folder of the scetool.exe, with the EBOOT.BIN and the .self or .sprx to be decrypted, start the BruteForce.exe and press the Start button. Tested working with Red Dead Redemption. Added support for command line parameters.

Example: BruteForce.exe 332300 /start

Anyway I improved the BruteForce.exe a bit more:

Added additional checks when the program starts

Now the tool auto-resigns the EBOOT.BIN and the self/sprx with the 3.55 keys when it finds the klic

Small GUI changes

Included all the tools in a 7z archive

In Portal 2, the klic key is not aligned to 4. Thus the faster method (4X) will not find it. So, I made BruteForce 1.4: It first try to find the key in a range aligned to 4. If it doesn't find the key, then it retries using the original method (1 byte at a time).

The method is similar to the original batch, but bytes aligned to 4 are tested first. Keys already tested, are ignored. In this version also it is possible to define the range to parse (start and stop addresses). Additionally, I added other data aligments: 1, 2, 4, 8 and 16. So in some cases, it could be up to 16X faster than the original method

Nice. Is there a proper English guide to doing this? Just would like to know how to decrypt and encrypt these EBOOTS myself just to know. Already have all the tools and can make psn packages but never tried to mess with EBOOTs before. Thanks.

Stop address field can be set from the DOS box selecting an initial address then double click on the final address

Updated to version 1.5.2:

Solved the issue finding the key for SOCOM 4 (the real key contains *0000* which was in the ignored patterns)

Now the patterns to ignore can me defined in the file "ignore_patterns.txt". It includes 4 by default, but you can add all/remove the patterns that you want.

TIP: If you use data alignment 16, if the klic key is not found in the selected range, the tool will retry automatically using data alignment 4, then data alignment 1. The BruteForce 1.6 has the "pre-database of known keys" already implemented. It now first tries the known keys first (read from klics.txt). I went further: the program now first extracts the ContentID, and puts the klic for the TitleID as the first in the list.

I uploaded version 1.6.1 and 1.6.2 is up:

Added Asure to the credits.

This version now has an experimental dynamic section alignment (it first tries using the alignment of the section).

The section index is now displayed.

I changed the &H to 0x in build 1.6.5 (available online) Added the KLIC for Tom Clancy Splinter Cell Trilogy HD (1.01) [BLES01146] (thanks to andreus and PatrickBatman for all the klic keys in the database). Added the patterns for the above scenario.

I tested the new version and i saw you encrypt with the klincensee. yes, now it is encrypting with the klicensee and SPRX (and compress=true and skip sections=fase are now the defaults)

I removed almost all the windows updates while it is minimized and made small code optimizations to create/move less strings while it's processing. I don't think they will make much difference, but at least I tried

BTW: Notice that same klic is used in different regions.

BruteForce/SCETool Decrypter Build 1.7.6:

If they match (i.e. no differences) then there is a very good chance that you only need to re-self the eboot.bin to the desired .self without the need of a license key.

It can suggest to the user that it is possible to create the .self for testing.

This build 1.7.11 now supports another tool (aldostools.org/temp/testklic.rar) developed by andreus to test the klicensee. Extract the content of the rar in the same folder of the BruteForce.exe. In our tests it worked faster than scetool. The user can select which tool want to use to find the klicensee (scetool or testklic).

BruteForce/SCETool Decrypter Build 1.7.12: A klicensee finder using scetool (based on Asure's brute force script) with heuristic algorythms for brute force attack. Once it finds the klicensee, the tool resign the EBOOT/SPRX/SELF with 3.55/3.40 keys. It also includes my FixELF tool.

I have updated the BruteForce to version 1.7.12 and my PS3 Tools to use the lowest key revision (01) and 3.40 by default.

For BruteForce, the default option now will be 3.40 (it can be switch to 3.55)

If the PARAM.SFO is copied to the BruteForce-scetool's folder the BruteForce.exe will auto-patch the sfo's PS3_SYSTEM_VER to 3.40.

If you use my PS3 Tools to make the PKG (just right-clicking of the folder), now it will auto-patch the PARAM.SFO to 3.40 if PS3_SYSTEM_VER is higher than 3.40.

If you need to patch a PARAM.SFO from a batch file, use my latest PARAM.SFO Editor 2.5.3 like this:

The BruteForce is a tool designed mainly to *FIND* the klicensee used to encrypt the NPDRM self/sprx files found in game patches/updates. Currently it supports files signed with up to 3.6 keys (mainly 3.56 and 3.60). If 3.7+ keys are available, the tool should also work (updating the keys in the data folder).

To find the klicensee you will need to copy the EBOOT.BIN, the self/sprx files and the PARAM.SFO to the BruteForce/scetool's folder.

If the klicensee is already known, it will take few seconds to resign the EBOOT.BIN and the self/sprx files. Otherwise it will use optimized methods to try to *guess* the klicensee in few hours.

Once the klicensee is found, the files are resigned with the keys from key revision 01 [0.92 - 3.30], which should be supported by ALL firmware versions available.

To resign files and repack PKG, I suggest that use the PS3 Tools Collection (which also includes the BruteForce).

To resign a disc EBOOT.BIN/self/sprx, just press Ctrl+Enter on the file and it will be resigned. If you double click (or press Enter) on the EBOOT.BIN or *.self or *.sprx you will see the file's information (including key version used).

To resign NPDRM files, extract the PKG (use the right click menu), browse to the USRDIR and press Ctrl+Enter on the EBOOT.BIN/self/sprx files. Then return to the folder where the PKG is located and right click on the extracted folder and select Make PKG.

It will modify automatically the PARAM.SFO to work with 3.40/3.55+. It will also detect the type of PKG being created (disc patch, game data or hard disk game). So there is not need at all for batch files or edit package.conf. Everything is automated.

Another nice feature is the repack of retail PKGs for use with DEX converted consoles. Just press Ctrl+Shift+Enter on a PKG and the tool will automatically extract the PKG and repack it as a debug PKG. To extract a PKG, just press Shift+Enter on the PKG. And to view it's Content ID, press Ctrl+Enter on the PKG.

TIPS:

If you select Make PKG on a PS3_GAME folder, it will call the PS3RIP tool.

If you select Make PKG on a PS3_UPDATE folder, it will call the Create_PS3_EXTRA tool.

All tools are accessed from the PS3 Tools Menu. You can use it from other PS3 related tasks, like add links to your favorite scene news sites or open folders where you put your PS3 files. You can return to the menu clicking on the blue jewel icon.

For the PS3 Game Updates, it is suggested to set the target version to 3.60

If you need to remove ALL the file associations created by the tool, there is a .reg file in the tools folder.

For BruteForce, try extracting this AddOn (developed by andreus) in the scetool's folder (it should help to make the brute force work faster).

Big thanks to Asure, naehrwert, flatz, deank, andreus, PatrickBatman, BLKDTH, JLM, opoisso893, Matsumot0, catalinnc, and many others that I could be forgetting.

PS. The BruteForce/scetool does NOT crack NPDRM files (DLC or games) that require RIF/RAP/edats.

BruteForce/SCETool Decrypter Build 1.7.13:

I just updated the BruteForce to version 1.7.13 with the new option "Dont use tried_keys list"

BruteForce/SCETool Decrypter Build 1.7.14:

The testklic was using the default key version (I was not passing the key version as parameter).

BruteForce/SCETool Decrypter Build 1.7.15:

This new version has the "shutdown" option and prompt to auto-update the database when a new klic is found.

If shutdown option is active, it will not prompt and will auto-update the online database automatically.

Tested the Ridge Racer 7 with the updated .ps3 keys and it seems to be working fine again using testklic app by andreus.

BruteForce/SCETool Decrypter Build 1.9.0.2:

Updated the .ps3 keys folder based on ps3devwiki.com/wiki/Keys#Appldr

There was still errors in the proper keys included yesterday from testklic app by andreus. The drm-key-55 and drm-iv-355 were the 3.50 (rev 0x07 np). I also found other errors in the keys. Also included the keys in "key revision" format.

The BruteForce now calls the testklic app using "key revision" instead of "firmware version" (as requested by andreus).

Added BruteForce association to folders. Now you can decrypt/resign a PS3 game folder using Right-click -> BruteForce...

Internal changes: changed some static values to parametric values read from the registry.

Reverted the resign files (when encrypt: 3.55 option is selected) to use the keyset 0x0A (retail type 0). It was changed it in 1.9.0.1 to 0x0B (retail), but I forgot to revert it to 0x0A.

Updated the klics.txt with the klics of MAG update 2.12 (found Omnomnom) and Final Fantasy XIII-2 update 1.06 (posted to the online database)

BruteForce/SCETool Decrypter Build 1.9.0.3:

A minor validation to ensure that testklic is used only for NPDRM files

BruteForce/SCETool Decrypter Build 2.0:

I updated BruteForce to version 2.0... Sorry, but no fancy features. This new build now includes make_fself.exe and the GUI let you set the target system (CEX or DEX) for re-encryption.

It now uses make_fself_npdrm.exe for NPDRM content and make_fself.exe for retail content.

The program uses make_fself_npdrm.exe or make_fself.exe when DEX is selected (depending if the files are NPDRM or retail). For CEX it still uses scetool.exe.

BruteForce/SCETool Decrypter Build 2.0.2:

Today I updated the BruteForce 2.0.2 package again... but this time the update is not related to any of the tools, but related to the ps3 keys (both .ps3 and SCETool's keys file).

Here is the background: Yesterday I decided to recheck the .ps3 keys and realized that it was a bit difficult to edit/fix the keys using just an hex editor. So I created this tool to review the keys and edit them with a little more ease.

BruteForce/SCETool Decrypter Build 2.0.3:

I can't believe that I missed the most simple KLIC test... (test decryption of SPRX/SELF without KLIC)... fixed in BruteForce 2.0.3

BruteForce/SCETool Decrypter Build 2.1.0:

Added conversion to fself (DEX), fixed issue with files with space in the file name

BruteForce/SCETool Decrypter Build 2.2.0:

It now integrates the "blazing fast" test tool by MAGIC333X

If the tool does not find it using this new tool, it continues using the old methods

If the key is found, the BruteForce resigns the EBOOT and self/sprx as usual.

Indeed I already integrated it in the scetool-BruteForce version 2.2.0.

BruteForce/SCETool Decrypter Build 2.2.3:

So I tweaked the tool in version 2.2.3, to set it to the improper parameter --self-app-version=0000100050000000, which returns the proper "App Version" 01.05. Other changes in version 2.2.3 are:

FixELF is now applied always to the EBOOT.ELF (before it was applied only if the key version was higher than 3.40)

testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN)

Now using the KLicence Brute-force Tool v1.2 (2012/10/07) and showing a progress bar

Small speed improvement: if TITLEID is found in KLICS.TXT, it's the first klic to try (before it always tested first noklic)

BruteForce/SCETool Decrypter Build 2.2.5:

Setting the Self App version from PARAM.SFO is now an option
(if the SelfAppVersion is unchecked, the tool will use the App Version from the SPRX/SELF)

Testklic now uses the key revision from the SELF/SPRX (before it was using the key revision from the EBOOT.BIN) was not working properly... fixed in 2.2.5

It now has support for download the patch files on demand from the online database at github maintained by gingerbread.

The database currently has the patches for approximately 170 game ids. And considering that some patches can be used also on other versions/regions of the same game, it could grow easily to near 500 game ids.

I also added support for listing of grouped cheats.

BruteForce/SCETool Decrypter Build 3.8.14: New in this version: added to the patch engine a new function for ADD calculation in a range of bytes (ADD, WADD, DWADD, QWADD).

Tip: After you resign and replace your trophies, it is required to Rebuild Database through Recovery Menu, and launch a game that will do "Sync Trophies" on it's startup in order to get the trophies working properly.

Update: I have updated the PS3 keys tool to version 1.1. Now it can convert SCETool's keys file to .ps3 (click on the big blue icon) I used the .ps3, data/keys and ps3devwiki Keys article for a three-way comparison. And found some mistakes in SCETool's data/keys file and some missing keys in ".ps3" and others keys were wrong. Not to talk about all the mistakes in the PS3 dev wiki already discussed here some days ago. So I did the best that I could do and fixed the files included in the updated archive of BruteForce 2.0.2.

The tool now shows a visual alert (a red cross icon) when the key if found in the scetool's Keys file, but the revision in the file name doesn't match the revision found in the section of the Keys file. A green check mark icon means that it was found in the Keys file and matched the version/revision.

Since version 1.1, the tool allows to convert the scetool's Keys into .ps3 keys binary format. Click on the big blue icon for the menu... I know that menu it is not intuitive but I love to hide features.

PS3 Keys 1.3

Version 1.3 adds a report of keys in HTML and 'next' button to find the bad keys.

PS3 Keys 1.5

Bruteforce + Testklic not working key set problem fixed

PS3 Keys 1.5.1 / 1.5.2

Updated keys again

I just discovered that unself2 also can decrypt with klic. A little nasty, but it can.

1. Go to github.com/granberro/ps3tools, download and compile the tools with Cygwin.

2. Add the keys (ps3devwiki.com/files/devtools/ps3keys/) to your /home/xxxx/.ps3 folder
3. Add the missing npdrm keys (app-iv-102f, app-key-102f, app-pub-102f, app-priv-356, free_klicensee-key, klic-key, npdrm-const and rif-key) to .ps3 folder
4. Hex edit /.ps3/free_klicensee-key and put the klic there
5. Then "unself2 xxxx.self xxxx.elf" (it will give a warning, but compare the elfs with this and scetool, you will see they are the same)

So it does the same scetool does. Don't know if this is faster, but it works.

Finally of note, HoNo posted (via ps3club.ru/forum/showpost.php?&p=721795&postcount=1) what he claims were 3.70 keys (below) but they were quickly deemed fake as pictured HERE.